Guaranteeing non-repudiation, unforgeability as well as transferability of a signature is one of the most vital safeguards in today’s e-commerce era. Based on fundamental laws of quantum physics, quantum digital signature (QDS) aims to provide information-theoretic security for this cryptographic task. However, up to date, the previously proposed QDS protocols are impractical due to various challenging problems and most importantly, the requirement of authenticated (secure) quantum channels between participants. Here, we present the first quantum digital signature protocol that removes the assumption of authenticated quantum channels while remaining secure against the collective attacks. Besides, our QDS protocol can be practically implemented over more than 100 km under current mature technology as used in quantum key distribution.

PACS numbers: 03.67.Dd, 03.67.Hk, 03.67.Ac 


I. INTRODUCTION 

Digital signatures aim to certify the provenance and identity of a message as well as the authenticity of a signature. They are widely applied in e-mails, financial transactions, electronic contracts, software distribution and so on. However, relying on mathematical complexities, classical digital signature schemes become vulnerable to quantum computing attacks. Though there are some classical unconditionally secure signature schemes EHI, a resource-expensive assumption exists therein, namely, the secure classical channels between the participants. Quantum digital signature (QDS) relies on fundamental laws of quantum physics to guarantee its information-theoretic security. Since Gottesman and Chuang proposed the first QDS protocol @, a quantum version of Lamport’s scheme Q, the following problems appear therein: (P1) requiring the authenticated quantum channels, (P2) the preparation and transmission of complex one-way function quantum states, (P3) requiring long-term quantum memory, and (P4) other challenging operations, such as performing SWAP test on the states. A novel approach uses linear optics and photon detectors to circumvent the requirement for quantum memory and complex state preparation @ and replaces the SWAP test with an optical multiport Q, yet leading to another challenging technology—long-distance stabilization of the Mach-Zehnder interferometer 0. Up to date, an obviously serious problem left for a feasible QDS protocol is the impractical assumption of the authenticated quantum channels between participants being available.

The authenticated quantum channels are equivalent to the secure quantum channels that do not allow any eavesdropping. Recall that while quantum key distribution (QKD) [T3,[2 requires authenticated classical channels, it does not require authenticated (secure) quantum channels because of potential eavesdropping. Actually, guaranteeing secure key distribution without authenticated quantum channels is exactly the goal and definition of QKD. Therefore, the assumption of authenticated quantum channels has to be eliminated in a QDS to be of practical value. In this paper, using single-photon qubit states and phase-randomized weak coherent states, we propose the first QDS protocol that eliminates the impractical assumption of secure quantum channels. Therefore, with respect to tackling the security problem merely requiring the authentication of classical communication, the basic assumptions underlying our QDS protocol are similar to those of QKD [11], [12] and multiparty quantum communication (quantum secret sharing) [^, [ij .

We say a digital signature protocol is secure if it satisfies 0: unforgeability, non-repudiation and transferability. Unforgeability means that a given piece of message indeed comes from the signer and remains intact during transmission, namely, no one can forge a valid signature that can be accepted by other honest recipients. Non-repudiation means that once the signer signs a message, he/she cannot deny having signed it. Transferability means that when an honest recipient of the signed message accepts a signature, other honest recipients will accept it as well. We define a QDS scheme to have $\varepsilon_{\rm unf}$-unforgeability, representing that the probability for an adversary to create a valid signature is not greater than $\varepsilon_{\rm unf}$. Similarly, we say a protocol is with $\varepsilon_{\rm nor}$-non-repudiation when the probability for the signer to repudiate a legitimate signature is not greater than $\varepsilon_{\rm nor}$. Thereby, a QDS protocol is defined to have $\varepsilon_{\rm sec}$-security when it satisfies both $\varepsilon_{\rm unf}$-unforgeability and $\varepsilon_{\rm nor}$-non-repudiation, with $\varepsilon_{\rm unf} + \varepsilon_{\rm nor} < \varepsilon_{\rm sec}$. Considering robustness, $\varepsilon_{\rm rob}$ is the probability that the protocol will be aborted even with the absence of an adversary.

In this paper, we consider a simple and most important case with three participants, i.e., one signer and two recipients. Then the property of transferability becomes equivalent to non-repudiation [ 1 , 0 . The QDS protocols using two copies of single-photon states and the decoy-state method are proposed in Sec. II and Sec. IV, with the security analyzed in Sec. III.


II. QDS WITH TWO COPIES OF 
SINGLE-PHOTON STATES 

There are three stages when implementing our three-participant QDS protocol, namely, the distribution stage, the estimation stage and the messaging stage. We introduce a two-photon six-state QDS protocol to illustrate our basic idea. There are six single-photon quantum states, $|H\rangle$, $|V\rangle$, $|\pm\rangle = (|H\rangle \pm |V\rangle)/\sqrt{2}$, $|R\rangle = (|H\rangle + i|V\rangle)/\sqrt{2}$ and $|L\rangle = (|H\rangle - i|V\rangle)/\sqrt{2}$. The six states can be arranged into twelve sets $\{|H\rangle,|+\rangle\}$, $\{|+\rangle,|V\rangle\}$, $\{|V\rangle,|-\rangle\}$, $\{|-\rangle,|H\rangle\}$, $\{|H\rangle,|R\rangle\}$, $\{|R\rangle,|V\rangle\}$, $\{|V\rangle,|L\rangle\}$, $\{|L\rangle,|H\rangle\}$, $\{|+\rangle,|R\rangle\}$, $\{|R\rangle,|-\rangle\}$, $\{|-\rangle,|L\rangle\}$, $\{|L\rangle,|+\rangle\}$, where the first state of each set represents logic 0 and the second logic 1.

The distribution stage: For each possible future message $m = 0$ and $m = 1$, Alice prepares two copies of a sequence of $N$ single-photon quantum states. For each quantum state, Alice randomly chooses one of the twelve sets and generates one of the two non-orthogonal states in the set. Afterwards, she sends one copy to Bob and the other to Charlie through insecure (unauthenticated) quantum channels. For each quantum state, Bob and Charlie randomly and independently perform a polarization measurement with one of the three bases $\{Z, X, Y\}$, and store the corresponding classical bit. Bob and Charlie will announce the result if their detectors have no click, and then Alice, Bob and Charlie will discard all the corresponding data and keep the remaining $M$ bits. For each quantum state, Alice announces from which set she selected the state through the authenticated classical channels. Bob (Charlie) compares his measurement outcomes with the two states. If his measurement outcome is orthogonal to one of the states, he concludes that the other state has been sent, which represents a conclusive result. Otherwise, he concludes that it is an inconclusive outcome. Let $P_B^c$ ($P_C^c$) be the probability that Bob (Charlie) has a conclusive result for each received quantum state; in the ideal case, $P_B^c = P_C^c = P^c = 1/6$. Note that Bob and Charlie do not announce whether they have a conclusive outcome.

The estimation stage: The signer Alice chooses the desired recipient, for example Bob, who will be the authenticator in the messaging stage. Then Alice informs the other recipient, Charlie, to randomly choose $M_t$ bits as the test bits used to estimate correlation (if Charlie is the authenticator chosen by Alice, Alice will inform Bob to randomly choose test bits as well). Charlie announces the locations of the test bits and Alice publicly announces the bit information of those test bits. Bob (Charlie) calculates the mismatching rate $e_B^c$ ($e_C^c$) of conclusive results from the test bits. When $e_B^c$ or $e_C^c$ gets too high, they announce to abort the protocol. Besides, when $P_B^c$ or $P_C^c$ shows a big deviation from the ideal value $P^c = 1/6$, they also announce to abort the protocol. Otherwise, Bob and Charlie announce the mismatching rate and the probability, $\{e_B^c, P_B^c\}$ and $\{e_C^c, P_C^c\}$, respectively. Alice, Bob and Charlie only keep the untested bits, denoted by $S_A$, $S_B$ and $S_C$.

The messaging stage: To sign a one-bit message $m$, Alice sends the message $m$ and the corresponding bit string $S_A$ to the authenticator, Bob. Bob checks the mismatching rate $P_B^c E_B^c$ between $S_A$ and $S_B$, where $E_B^c$ is the mismatching rate of the conclusive results. The inconclusive outcomes are considered to match Alice’s announcement bits automatically. If the mismatching rate $E_B^c < T_a$ ($T_a$ is the authentication security threshold), Bob accepts the message. Otherwise, he rejects it and announces to abort the protocol. After Bob accepts the message, he forwards it and the corresponding bit string $S_A$ to the verifier Charlie. Charlie checks the mismatching rate $P_C^c E_C^c$ between $S_A$ and $S_C$, where $E_C^c$ is the mismatching rate of the conclusive results. If the mismatching rate $E_C^c < T_v$ ($T_v$ is the verification security threshold), Charlie accepts the forwarded message, otherwise he rejects it.

Note that the distribution stage is a quantum process, while the estimation and messaging stages are classical communication processes. The time interval between the distribution stage and estimation stage is arbitrary. The estimation stage is employed to estimate the parameters $T_a$ and $T_v$, which are used for the messaging stage. After the distribution stage, once Alice wants to sign the message, she will start the estimation stage and the messaging stage. As Alice is the signer, she can identify the one who is the desired recipient (namely the authenticator) before the estimation stage. Therefore, the roles of Bob and Charlie are equivalent; either of them can be the receiver of the message and forward it to the other.
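
The conclusive-result rule of the distribution stage and the threshold check of the messaging stage, as an added Python example (not the authors' code). It assumes an ideal lossless and noiseless channel, models a single recipient, skips the estimation stage, and uses the two-photon six-state thresholds quoted in the Fig. 2 caption; all function names are illustrative.

```python
import math
import random

S = 1 / math.sqrt(2)

# Polarization states of Sec. II as (amplitude of |H>, amplitude of |V>).
STATES = {
    "H": (1 + 0j, 0j), "V": (0j, 1 + 0j),
    "+": (S + 0j, S + 0j), "-": (S + 0j, -S + 0j),
    "R": (S + 0j, 1j * S), "L": (S + 0j, -1j * S),
}
BASES = {"Z": ("H", "V"), "X": ("+", "-"), "Y": ("R", "L")}
ORTHOGONAL = {"H": "V", "V": "H", "+": "-", "-": "+", "R": "L", "L": "R"}
# The twelve sets; the first state encodes logic 0, the second logic 1.
SETS = [("H", "+"), ("+", "V"), ("V", "-"), ("-", "H"),
        ("H", "R"), ("R", "V"), ("V", "L"), ("L", "H"),
        ("+", "R"), ("R", "-"), ("-", "L"), ("L", "+")]

T_A, T_V = 0.0150, 0.0645  # {T_a, T_v} for two-photon six-state QDS (Fig. 2 caption)


def born_probability(outcome, sent):
    """|<outcome|sent>|^2 for two named polarization states."""
    a, b = STATES[outcome], STATES[sent]
    return abs(a[0].conjugate() * b[0] + a[1].conjugate() * b[1]) ** 2


def decode(outcome, pair):
    """Recipient's rule: an outcome orthogonal to one state of the announced
    set means the other state was sent. Returns 0, 1 or None (inconclusive)."""
    if outcome == ORTHOGONAL[pair[1]]:
        return 0
    if outcome == ORTHOGONAL[pair[0]]:
        return 1
    return None


def ideal_statistics():
    """Exact average over sets, bits and bases for a noiseless channel.
    Returns (conclusive probability, probability of a wrong conclusive bit)."""
    conclusive = wrong = 0.0
    weight = 1 / (len(SETS) * 2 * len(BASES))
    for pair in SETS:
        for bit in (0, 1):
            for basis in BASES.values():
                for outcome in basis:
                    p = weight * born_probability(outcome, pair[bit])
                    guess = decode(outcome, pair)
                    if guess is not None:
                        conclusive += p
                        if guess != bit:
                            wrong += p
    return conclusive, wrong


def distribute(n, rng):
    """Distribution stage for one recipient: returns Alice's bit string and
    the recipient's decoded bits (None marks an inconclusive outcome)."""
    alice, recipient = [], []
    for _ in range(n):
        pair, bit = rng.choice(SETS), rng.randrange(2)
        basis = BASES[rng.choice("ZXY")]
        p_first = born_probability(basis[0], pair[bit])
        outcome = basis[0] if rng.random() < p_first else basis[1]
        alice.append(bit)
        recipient.append(decode(outcome, pair))
    return alice, recipient


def mismatch_rate(claimed, recipient):
    """Mismatching rate over the recipient's conclusive positions only;
    inconclusive positions count as matching, as in the messaging stage."""
    pairs = [(c, r) for c, r in zip(claimed, recipient) if r is not None]
    if not pairs:
        return 1.0  # nothing to check against: treat as a failed check
    return sum(c != r for c, r in pairs) / len(pairs)


def accepts(claimed, recipient, threshold):
    """Accept only if the conclusive-result mismatching rate is below threshold."""
    return mismatch_rate(claimed, recipient) < threshold


def demo(n=6000, seed=1):
    """Constructed run: Charlie checks Alice's real string and a string
    produced without knowledge of it, both against T_v."""
    rng = random.Random(seed)
    s_a, s_c = distribute(n, rng)
    guessed = [rng.randrange(2) for _ in s_a]
    return {
        "conclusive_fraction": sum(r is not None for r in s_c) / n,
        "honest_rate": mismatch_rate(s_a, s_c),
        "guessed_rate": mismatch_rate(guessed, s_c),
        "honest_accepted": accepts(s_a, s_c, T_V),
        "guessed_accepted": accepts(guessed, s_c, T_V),
    }


if __name__ == "__main__":
    print(ideal_statistics())
    print(demo())
```

The exact enumeration reproduces the ideal value $P^c = 1/6$, and the constructed run shows that a string not derived from Alice's states mismatches about half of Charlie's conclusive results, far above $T_v$.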


III. SECURITY ANALYSIS

In the three-participant QDS protocol, at most one participant can be an adversary, because the majority vote is usually used to resolve the dispute li,i|. Then, the only potential attack strategy can be either the repudiation of the signer or the forgery of the authenticator.

We are now interested in why our scheme can prevent an adversary’s attack without authenticated quantum channels. For Alice’s repudiation attack, authenticated quantum channels cannot help her because the quantum states are prepared by herself. During the estimation stage, exploiting the random sampling theorem, one can estimate the correlation strength between Bob’s and Charlie’s received quantum states. Therefore, the SWAP test and symmetry operation of Bob’s and Charlie’s quantum states or classical bits can be removed in our protocol, which are realized by authenticated quantum channels d, d, IsHl^ [isL IT^ or secure classical channels [1, d, [l3 in other protocols. For Bob’s forgery attack, exploiting the random sampling theorem, Charlie can estimate the correlation strength between the quantum states Alice sends and those Charlie receives without authenticated quantum channels, whereas in previous protocols, authenticated quantum channels are required to guarantee that one copy of the quantum state Charlie receives has not been tampered with. Detailed security analysis is shown in Appendix A.

FIG. 1. (color online). Practical implementation of the three-participant QDS protocols. Alice’s setups for Scheme I (II) are shown respectively on the upper (lower) panel on the left. For the parts of Bob and Charlie, the setups are located on the right, which are shared by both schemes. AM: amplitude modulator used to prepare decoy-state, PM: polarization modulator used to prepare polarization states or active basis selection, BS: 50:50 beam splitter used to prepare two copies of quantum states, PBS: polarization beam splitter, D1-D4: single-photon detectors.

When Bob forges, Alice and Charlie are automatically regarded as honest. A successful forgery means that the dishonest Bob forges (tampers with) the message bit and Charlie accepts it. Bob is unable to discriminate two copies of six-state (or four-state) without any error, since an unambiguous discrimination among $C$ linearly dependent qubit states is only possible when at least $C - 1$ copies of the states are available [l^. For this reason, we can restrict Bob’s forgery attack even when quantum channels are insecure. We consider the case that Bob is restricted to collective forgery attack where his optimal strategy is to acquire the information of each quantum state Charlie receives as much as possible (exploiting quantum de Finetti theorem [T^ , we expect that our scheme could guarantee the security against coherent forgery attack, which should be studied in the future). Thus, Bob’s attack strategy in the two-photon six-state QDS protocol can be reduced to the eavesdropping attack of Eve in the six-state SARG04-QKD protocol [20], [21] given that the two-photon source is used. With the entanglement distillation techniques [11], [21], we can obtain the upper bound of Bob’s information $I_{BC}$ about Charlie’s conclusive-result bits as (see Appendix B)

2 _ 3 

Ibc = H{ep\eb), Sp = — - - 


where $H(e_p|e_b)$ is the conditional Shannon entropy function; $e_p$ and $e_b$ are the phase and bit error rates, respectively. If a bit is flipped, the probability of a phase shift will be In the QDS protocol, $e_b$ is the expectation value of mismatching rate between Alice’s bits and Charlie’s conclusive results in the untested portion. Therefore $e_b = e_C^c + \delta_1$, where $\delta_1$ is the finite sample size effect which can be quantified by the random sampling without replacement [22] with the failure probability $\epsilon_1$. In order to optimally implement the forgery attack, Bob will attempt to make the mismatching rate between his guessed bits and Charlie’s conclusive-result bits reach the minimum value $S_c$. Employing the properties of min-entropy and max-entropy , $S_c$ can be given by

$$H(S_c) > 1 - I_{BC}, \qquad (2)$$

where $H(x) = -x\log_2 x - (1-x)\log_2(1-x)$ is the binary Shannon entropy function. There is no chance for Bob to make a successful forgery in the ideal case when Charlie’s verification threshold satisfies $T_v < S_c$. However, considering the sampling with a finite number of independent Bernoulli random values, the observed average value can be less than the expectation value with a probability quantified by the Chernoff bound. Thus, the probability that Charlie accepts (CA) the message forged by Bob is negligible as

ei = Pr(CA) < exp[- ^‘^°^^^"’^ (3) 

where $P_C^c M_u$ is the number of Charlie’s untested conclusive-result bits.

When Alice repudiates, Bob and Charlie are automatically regarded as honest. A successful repudiation happens when Alice disavows the signature, with the message accepted by Bob and rejected by Charlie. Alice must treat each quantum state received by both Bob and Charlie in the same way since the conclusive results of quantum states they acquire are random, which is similar to Ref. Q. Conclusive results of partial quantum states can be acquired by Bob and Charlie simultaneously, which can be used in the estimation stage to estimate the correlation strength between the quantum states they receive. Thus, exploiting the technique introduced in Ref. Q , our QDS scheme can guarantee security against the coherent repudiation attack even if the symmetry operation (optical multiport) Q is removed. Let $\Delta_t$ ($\Delta$) be the mismatching rate between Bob’s and Charlie’s test (untested) bit string when they both have conclusive results. Let $P_B$ ($P_C$) be the expectation value of the mismatching rate between Alice’s and Bob’s (Charlie’s) untested bits. Due to random sampling, we have $\Delta_t < e_B^c + e_C^c$ and $\Delta_t + \delta_2 = \Delta > P_C/P_C^c - P_B/P_B^c$, where $\delta_2$ is the finite sample size effect quantified by the random sampling without replacement [22] with failure probability $\epsilon_2$. When the two thresholds satisfy $T_v > T_a + \Delta$, the probability that Bob accepts (BA) a message and Charlie rejects (CR) it is negligible as


£2 = Pr(RA, CR) = exp 


{A-P-^T^f 

2A 



(4) 


where $A = P_B$ is a physical solution of the following equation and inequalities

(a-pi^t,)^ [Pgr. - Pg (a/p| + a)]^ 

2A 3P^(A/P-+A) ’ (5) 

P^Ta<A<P^{n- A). 


The robustness quantifies the probability that Bob re¬ 
jects (BR) a message with the absence of an adversary. 
The probability can be given by 


£,ob = Pr(PP) - e^, 

exp[- 2(„+fcWl-A) ]^(^^fc^^) 

y^27rnA:A(l — X)/{n + k) 


h{n, k, A, t) =- 
C{n^ k, A) = exp^ 


1 


-b 


1 


1 


8 {n + k) 12k 12kX+l 
1 


12fc(l - A) -b 1/ 


( 6 ) 


Detailed security analysis and calculation can be found in Appendix B.


IV. DECOY-STATE QDS 

The above idea using two ideal single-photon sources can be practically implemented by weak coherent states with the decoy-state method. The schematic layouts of our practical QDS with phase-randomized weak coherent states, Scheme I and II, are shown in Fig. 1. Scheme I and Scheme II have a few additional parts compared with the above two-photon six-state QDS scheme, i.e., decoy-state modulation and announcement. In the distribution stage of Scheme I, Alice exploits an amplitude modulator (AM) to randomly prepare weak coherent state pulses with four intensities, $\mu$, $\nu$, $\omega$, 0 ($\mu > \nu > \omega > 0$). Their probability distributions are set as $P_\mu$, $P_\nu$, $P_\omega$, and $P_0$. Two copies of quantum states can be generated by a 50:50 beam splitter (BS). The phases of Alice’s signal laser pulses can be internally modulated [ 2 ^ , which guarantees the security against unambiguous-state-discrimination attack . In the distribution stage of Scheme II, with a 50:50 BS and two AMs, two copies of weak coherent state pulses are generated and utilized to modulate the following seven sets of intensities: $\{\mu_1,\mu_1\}$, $\{\mu_1,0\}$, $\{0,\mu_1\}$, $\{\nu_1,\nu_1\}$, $\{\nu_1,0\}$, $\{0,\nu_1\}$ and $\{0,0\}$ with $\mu_1 > \nu_1 > 0$. Their probability distributions are set as $P_{\mu_1\mu_1}$, $P_{\mu_1 0}$, $P_{0\mu_1}$, $P_{\nu_1\nu_1}$, $P_{\nu_1 0}$, $P_{0\nu_1}$ and $P_{00}$. We define $\{\mu_1,\mu_1\}$ as the signal-state set, while the other six sets compose the decoy-state set. In the estimation stage of Scheme I (II), Alice announces the intensity information of each pulse, the polarization information of all decoy states (decoy-state sets), and a portion $\beta$ of the signal state (signal-state set) that is randomly selected by Bob or Charlie. For the signal state (signal-state set), the $\beta$ portion of data are regarded as test bits, while the remaining ones are untested bits to be used in the messaging stage.

FIG. 2. (color online). Signature rates versus total secure transmission distance. For simulation purposes, we employ the following experimental parameters: the intrinsic loss coefficient of the ultralow-loss telecom fiber channel is 0.160 dB km$^{-1}$ [^. For superconducting nanowire single-photon detectors, the detection efficiency is 93% and the dark count rate is 1.0 x 10“^ [ 2 ^. The quantum bit error rate between Alice’s and Bob’s (Charlie’s) system is E ~ 1.0%. The ratio of random sampling is d = $M_t/M$ = 30%. The security (robustness) bound is $\varepsilon_{\rm sec}$ < 1.0 x 10“® ($\varepsilon_{\rm rob}$ < 1.0 x 10“®). The verification and authentication thresholds $\{T_v, T_a\}$ of two-photon six-state (four-state) QDS are {6.45%, 1.50%} ({4.05%, 1.20%}); $\{T_v, T_a\}$ of six-state and four-state in Scheme I (II) are {4.07%, 1.17%} ({4.275%, 1.20%}) and {3.46%, 1.12%} ({3.44%, 1.12%}), respectively. The intensities of six-state for Scheme I are $\mu = 0.34$, $\nu = 0.16$, $\omega = 0.01$ and 0. The probabilities of six-state for Scheme I are $P_\mu = 55\%$, $P_\nu = 25\%$, $P_\omega = 18\%$ and $P_0 = 2\%$. The intensities of four-state for Scheme I are $\mu = 0.12$, $\nu = 0.08$, $\omega = 0.008$ and 0. The probabilities of four-state for Scheme I are $P_\mu = 52\%$, $P_\nu = 23\%$, $P_\omega = 23\%$ and $P_0 = 2\%$. The intensities of six-state for Scheme II are $\mu_1 = 0.17$, $\nu_1 = 0.08$ and 0. The probabilities of six-state for Scheme II are $P_{\mu_1\mu_1} = 57\%$, $P_{0\mu_1} = 1\%$, $P_{\mu_1 0} = 1\%$, $P_{\nu_1\nu_1} = 30\%$, $P_{0\nu_1} = 5\%$, $P_{\nu_1 0} = 5\%$ and $P_{00} = 1\%$. The intensities of four-state for Scheme II are $\mu_1 = 0.075$, $\nu_1 = 0.04$ and 0. The probabilities of four-state for Scheme II are $P_{\mu_1\mu_1} = 60\%$, $P_{0\mu_1} = 1\%$, $P_{\mu_1 0} = 1\%$, $P_{\nu_1\nu_1} = 27\%$, $P_{0\nu_1} = 5\%$, $P_{\nu_1 0} = 5\%$ and $P_{00} = 1\%$.

The randomly selected test bits are used to defeat the repudiation attack. The decoy-state method is used to estimate the yield and bit error rate of the two-photon component, which are exploited to defeat the forgery attack. For Alice’s repudiation attack, the decoy-state method does not bring any advantage because the decoy state data are not used for test bits. For Bob’s forgery attack, the decoy-state method cannot bring any advantage since the decoy states are randomly prepared by Alice. The standard error analysis method [31] is used for estimating the statistical fluctuation in the decoy-state method. We remark that the roles of Bob and Charlie in Scheme I (II) are equivalent, either can be the authenticator. Detailed analysis and calculations are shown in Appendix C.


We simulate the signature rates $R$ of our QDS schemes as functions of total secure transmission distance $L$, as shown in Fig. 2. Here, the signature rate is defined as $R = 1/(2N)$ because we employ $2N$ qubit states to sign one bit of classical message. We consider the symmetric case where the distance between Alice and Bob (Charlie) is $L/2$. For weak coherent states in Schemes I and II, we present an analytical method to estimate the parameters of the two-photon component. Figure 2 also shows signature rates of four-state QDS for comparison. The linear optical elements and threshold single-photon detectors constituting measurement devices are used in our QDS schemes by the universal squash model [s^. The detector error model [s^ is applied to calculate the detection probability and error rate of quantum states. According to the simulation result, if we consider the system with 10 GHz clock rate and six-state polarization encoding, we can generate a signature rate of 294 bps for a channel length of 100 km with two copies of single-photon source, 0.78 bps (1.12 bps) for Scheme I (II) with phase-randomized weak coherent states over the same distance.


V. CONCLUSION 


In this work, we propose a QDS protocol with the immediate feasibility of implementing it over a distance of more than 100 km. The signature rate in our protocol can achieve better performance at longer distance than previous protocols due to, among others, the Chernoff bound and the decoy-state method. We anticipate that the signature rate could be significantly increased by adopting a tighter bound in the sampling theory, e.g., the tighter Chernoff bound in [2^. Similar to QKD, any photon-number distribution source, such as the coherent-state superpositions [sj, can be used for QDS. It may not be easily generalized to more participants with the scheme in this paper. In QDS with more participants, other aspects should be considered, such as colluding attack, efficiency and resource, which should be studied in the future. We remark that after submitting our manuscript, we became aware of another independent work implementing QDS with unauthenticated quantum channels; however, it still requires secure classical channels [13].

Appendix A: DETAILED SECURITY ANALYSIS


1. Security against repudiation 

In a repudiation case, the dishonest signer Alice successfully cheats two honest recipients Bob and Charlie. Here, Charlie selects the test bits which can be regarded as the random sampling since Charlie is an honest participant. We exploit the technique introduced in Ref. Q to prove that the general quantum repudiation attack (i.e., coherent attack) relative to individual repudiation attack does not provide any advantage. For each possible future message to be signed, $m = 0$ and $m = 1$, Alice sends $N$ quantum states $\rho_{B_1C_1,\ldots,B_NC_N}$ (arbitrary form) to Bob and Charlie, respectively. Therein, $M$ quantum states are received both by Bob and Charlie. Bob and Charlie directly measure the received quantum states and store them as classical bits. Charlie randomly selects $M_t$ bits from $M$ bits as the test bits in the estimation stage. The remaining $M_u = M - M_t$ untested bits are used in the messaging stage. If and only if both Bob and Charlie receive a quantum state can the event be used for providing the security against repudiation. Otherwise, Alice can simply make Bob accept the message but Charlie reject it. In the six-state QDS, for each received quantum state, the probability is $P^c = 1/6$ that Bob (Charlie) has a conclusive result combining with the set of quantum state in the ideal case ($P^c = 1/4$ for four-state QDS). Alice is not able to know which quantum state can be confirmed by Bob or Charlie. Therefore, from the perspective of Alice, she must treat each quantum state received by Bob (Charlie) in the same way. We define 1 (0) as the event that the measurement result of Bob or Charlie mismatches (matches) Alice’s announcement. If Bob or Charlie does not have a conclusive result, the result is considered to match Alice’s announcement automatically. We encode each matching result of Bob’s and Charlie’s untested bits as classical-quantum state $|\varphi_{B_i}\rangle$ and $|\varphi_{C_i}\rangle$, respectively, with $\varphi_{B_i}, \varphi_{C_i} = 0, 1$.

The classical-quantum state of matching outcomes of Bob and Charlie used in the messaging stage can be written as

Pc= Y P(Ph^---^PcMj^\‘Pc,)Wci\- 

(Al) 

The successful repudiation probability relies on the state 

— Ph® plb- (^2) 


The repudiation process can be described by the following classical-quantum state

7?.ep(p“) = p(p“)|S'uc)(S'uc| -I- [1 -p(p“)]|Fa*)(Faj|, 

(A3) 

where the orthogonal states $|Suc\rangle$ and $|Fai\rangle$ represent success and failure of repudiation, respectively. The state p“ is a convex combination of states.


P{PCi^ ■ ■ ■ ^‘PCMj^\‘PB.){PBMpK){PCi\ 

= Yp^^^pp 

3 

The successful repudiation probability is given by
Tr[|S'^lc)(S'^lc|7^ep(p“)] 


= Tr 


|S'uc)(iS'uc|7?.ep 

V? P{j)P3 

3 

= Yp^^'>P^Pi'>- 


(A5) 


Since $\sum_j p(j)\,p(\rho_j)$ is a convex combination of probabilities and $\sum_j p(j) = 1$, we have


Yp^^'IP^P^^ - = maxp(pj). 

3 3 


Therefore, the maximum value of the successful repudiation probability is acquired based on one individual state $\rho_j$. That is, the optimal individual repudiation attack can give out the upper bound of the repudiation attack.

In the individual repudiation attack, Alice sends individual and possibly different quantum states to Bob and Charlie. Each pair of the quantum states Bob and Charlie receive are not correlated with others and not required to be identical. The matching result of Bob’s and Charlie’s untested bits (used in the messaging stage) can be regarded as independent Bernoulli random variables that satisfy $\Pr(\varphi_{B_i} = 1) = p_{B_i}$ and $\Pr(\varphi_{C_i} = 1) = p_{C_i}$, $i \in \{1, 2, \ldots, M_u\}$. Let $X_B = \frac{1}{M_u}\sum_i \varphi_{B_i}$ and $X_C = \frac{1}{M_u}\sum_i \varphi_{C_i}$; the expectation values of $X_B$ and $X_C$ are denoted as $P_B = \frac{1}{M_u}\sum_i p_{B_i}$ and $P_C = \frac{1}{M_u}\sum_i p_{C_i}$, respectively. An observed outcome of $X_B$ ($X_C$) is represented as $x_B$ ($x_C$).

If the authentication mismatching rate satisfies $x_B < P_B^c T_a$ ($P_B^c$ represents the probability of Bob’s conclusive results), Bob accepts the signed message. By exploiting the Chernoff bound, the probability of Bob accepting (denoted as BA) a valid message can be given by


Pr(BA) = Pr(PB - xb > Pb - P%Ta) 


< exp 


{Pb - P%Tuf 
2 Pb 



(A7) 


where $\Pr(BA)$ is a strictly decreasing function for parameter $P_B$, $1 > P_B >$ If the verification mismatching rate $x_C > P_C^c T_v$ ($P_C^c$ represents the probability of Charlie’s conclusive results), Charlie will reject the signed message. By exploiting Chernoff Bound [23, , the probability of Charlie rejecting (denoted as CR) a valid message can be given by

ore 


(AS) 


where Pr(i?A) is a strictly increasing function for param¬ 
eter Pc, 0 < Pc < PePy. 

A successful repudiation means that Bob accepts the signed message and Charlie rejects it. The probability can be written as

$$\Pr(BA, CR) < \sup\{\min\{\Pr(BA), \Pr(CR)\}\}. \qquad (A9)$$

Under reasonable conditions, in order to make the value of $\Pr(BA, CR)$ as large as possible, Alice will make the parameter $P_C$ as large as possible and $P_B$ as small as possible. Because we remove the SWAP test @ and symmetry operation (optical multiport) @ (to guarantee that the quantum states that Bob and Charlie receive are identical), $P_B = P_C$ will no longer be satisfied. However, we can restrict the difference between $P_C$ and $P_B$. Thereby, the upper bound of the successful repudiation probability can be restricted.

For all quantum states received by both Bob and 
Charlie, Bob (Charlie) records a string of data = 
{2/Bi,2/B2,---,2/Bm} {yc = {2/Ci,2/C2,---,2/Cm})- Here, 
DBi represents the fth data and one has j/Bi G {0,1,T}. 
TjBi = 0,1 {yBi =T) represents that Bob has a conclu¬ 
sive (inconclusive) outcome. Let (3^c) ^e the test bit 
string which is a random sample of size Mt of J^b (3^c) 
and the remaining untested bit string is 3^]) (J^c)- 
ilarly, the bit string of Alice is yA (3^a = 3^^ ^rid 

FIG. 3. (color online). Schematic representation of different bit strings. The left black frame (right yellow frame) rectangle represents the string of test (untested) bits. The horizontal red shadow (vertical blue shadow) represents the bit string of Bob’s (Charlie’s) conclusive results.


we have dai G { 0 , 1 } for the quantum states prepared by 
Alice. As is clear from the above descriptions, we have 

V’Bi = vX ®yBi and (fc, = yX®yCi (0> 1 ® -L:= 0)- Let 

y% = y'§ U y<§^ and y^ = y^ U y^ represent the bit 
strings of Bob’s and Charlie’s conclusive results, respec¬ 
tively. yAB — yAB ® 3^ab represents Alice announc¬ 
ing the bit string corresponding to y^ = y^ U y^, 
while yxc — yXc ® yXc represents Alice announcing 
the bit string corresponding to y^ = y^ U 3^™. Let 
Z% = Z<§ U Z™ (Zg. = Z^ U Z^) represents the bit 
string of Bob (Charlie) given that Bob and Charlie both 
have conclusive results, and the corresponding bit string 
of Alice is Z\ = ZX U Z™. A visualized schematic of 
the relationship between the above bit strings are shown 
in Fig. El 

Exploiting relative Hamming distance and the random sampling theorem, for the arbitrary bit string Alice announces, the expectation value $\Delta$ can be given by


A = dH(Z^“, Zg^) > dH(Zr, Zg“) - dH(Zr, Z^“) 

= MyTc^yc)-MyxB,yB) 

= Myxyc)/Pc - MyxyB)/PB 
= Pc/Ph - PbIpx 

(AlO) 

The test distance At can be given by 


At = dH(z#, zX) < MzX.zX) + MzX, zX) 

= My^B^yX) + MyXc^yX) = ^% + 

(All) 

Here, $e_B^c$ ($e_C^c$) is the mismatching rate between Bob’s (Charlie’s) conclusive results of test bits and Alice’s announcement bits, which can be acquired in the estimation stage. Taking into account the random sampling without replacement theorem [l^, we have


A = At -bJa, 


=g[P^P%Mu,P^P%Mt,^ueX 


(A12) 


g{n,k,X,e) = 


2(n + fc)A(l — A) 
nk 


X Win 


Xn + kC{n, k, A) 


C{n, k, A) =exp^ 


V'^TmkXil - A)e’ (^ 13 ) 

1 1 1 


8{n + k) 12k 12kX+l 

1 


12 A :(1 - A) -b 1/ 


where $\epsilon_2$ is the failure probability, $P_B^c P_C^c M_u$ and $P_B^c P_C^c M_t$ are the numbers of untested bits and test bits given that both Bob and Charlie have the conclusive results, respectively.

From Eq. (1M1)-Eq. dMl), we know that the optimal 
probability that Bob accepts a message while Charlie re¬ 
jects it is 


£2 = Pr(HA, CR) = exp 


2A 



(A14) 


where A = Pb is a physical solution of the following 
equation and inequalities 

{A-P^^Tgf [Pgr„ - Pg (A/P° + A)]^ 

2 A 3P^(A/P|-bA) ’ (A15) 

< A < P%{R - A). 


The protocol is with $\varepsilon_{\rm nor}$-non-repudiation, where 
$\varepsilon_{\rm nor} = \varepsilon_2 + \epsilon_2$. 


2. Security against forgery 

In a forgery case, the dishonest recipient, Bob, can 
successfully deceive two honest participants, i.e., the signer 
Alice and the other recipient Charlie. Bob authenticates 
the validity of the message sent by Alice, while Charlie 
verifies the validity of the message forwarded by Bob. 
Here, the test bits Charlie selects can be regarded as 
the random sampling since Charlie is an honest 
participant. The forgery is successful when Charlie accepts 
(denoted as CA) the forged (tampered) message forwarded 
by Bob. For all conclusive measurement outcomes of the 
untested bits, Charlie records a string of data 3^™ = 
’^Lere = P^AR is the number 
of conclusive measurement outcomes of the untested 
bits. It is obvious to see 3^™ C y^ and y™ G {0,1} 
for * G {1,..., Lc} . Let y%-p = ^ , ygV, J 

represents the bit string Bob forwards corresponding to 
3^™. We consider the case that Bob is restricted to a 
collective forgery attack in which his optimal strategy is to 
correctly guess the information of each quantum state as 
much as possible. We assume that the upper bound of 
Bob’s information $I_{BC}$ about Charlie’s conclusive result 
bits can be acquired with failure probability $\epsilon_1$. Note that 
the values of estimating the information are different for 
various protocols and will be analyzed in the following 
section. Let $S_c$ be the mismatching rate between y^p 
and y^. In order to optimally implement the forgery 
attack, Bob will make $S_c$ reach the minimum value with 
$I_{BC}$. So the minimum mismatching rate $S_c$ can be given 
by 


$$H(S_c) \ge H_{\max}(C|B) \ge H_{\min}(C|B) = 1 - I_{BC}, \tag{A16}$$

where $H(x) = -x\log_2 x - (1-x)\log_2(1-x)$ is the binary 
entropy function. The max-entropy $H_{\max}(C|B)$ is upper 
bounded by the minimum number of bits of additional 
information about y^ which are needed to perfectly 
reconstruct y^ from y’j^p. The min-entropy $H_{\min}(C|B)$ 
quantifies the minimum uncertainty that Bob has about 
3 ^™ using the optimal attack strategy. 

Let Xq = ’ ■ • ■! ‘P'cl } be a set of independent 

Bernoulli random variables which represent the matching 
results between Charlie’s conclusive measurement 
outcomes of the untested bits and those Bob forwards, i.e., 
^c'i = Vcl ® ViiFi- Let = 1/LcY.^ip^cp the expec¬ 
tation value of Xq can be given by E[X^] = Sc- An 
observed outcome of Xq is represented as Xq. If the 
verification mismatching rate satisfies Xq < $T_v$, Charlie 
accepts the forged message. There is no chance that Bob 
successfully forges in the ideal conditions when the 
verification threshold of Charlie satisfies $T_v < S_c$. However, 
considering the sampling with the case of finite number 
of independent Bernoulli random values, the observed 
average value can be less than the expectation value with 
a negligible probability. The probability that Charlie 
accepts (denoted as CA) a forged message can be given 
by 


£1 = Pt{CA) = Pr(5e -xh>Sc- Ty) 


(A17) 


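The protocol is with $\varepsilon_{\rm unf}$-unforgeability, where 
$\varepsilon_{\rm unf} = \varepsilon_1 + \epsilon_1$. Therefore, the security level of the QDS can be 
given by 

$$\varepsilon_{\rm sec} = \varepsilon_{\rm nor} + \varepsilon_{\rm unf} = \varepsilon_1 + \varepsilon_2 + \epsilon_1 + \epsilon_2. \tag{A18}$$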


3. The robustness 

$\varepsilon_{\rm rob}$ is the probability that the protocol is aborted 
when the adversary is inactive. In the estimation stage, 
let $E_B^t$ be the mismatching rate of conclusive results of 
Bob’s test bits. Exploiting random sampling without 
replacement theorem, in the messaging stage, the 
mismatching rate $E_B^u$ of conclusive results of Bob’s untested 
bits can be given by (with no adversary existing) 

$$E_B^u = E_B^t + g[P_B^c M_u,\, P_B^c M_t,\, E_B^t,\, \epsilon'], \tag{A19}$$


where $\epsilon'$ is the failure probability, $P_B^c M_u$ and $P_B^c M_t$ are 
the numbers of untested bits and test bits given that Bob 
has conclusive results, respectively. If one has $E_B^u > T_a$, 
Bob rejects (denoted as BR) the message sent by Alice. 
The probability can be written as 


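$$\varepsilon_{\rm rob} = \Pr(BR) < \epsilon' = h(P_B^c M_u,\, P_B^c M_t,\, E_B^t,\, T_a - E_B^t),$$

$$h(n,k,\lambda,t) = \frac{\exp\left[-\frac{nk\,t^2}{2(n+k)\lambda(1-\lambda)}\right] C(n,k,\lambda)}{\sqrt{2\pi nk\lambda(1-\lambda)/(n+k)}}. \tag{A20}$$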


Appendix B: Two copies of single-photon states 


In the following, we analyze Bob’s information $I_{BC}$ 
about Charlie’s conclusive result bits in the two-photon 
six-state (four-state) QDS in detail. Besides, we calculate 
the signature rate and the corresponding security bound 
in the practical fiber-based protocol. 

We consider the case that Bob is restricted to a 
collective forgery attack in which his optimal strategy is to 
correctly guess the information of each quantum state as 
much as possible. Therefore, the attack strategy of Bob 
in the two-photon six-state QDS protocol is equivalent to the 
eavesdropping attack of Eve in the six-state SARG04-QKD 
protocol [13, HIl given that the two-photon source 
has been taken into account (in the QKD protocol, the 
two communication parties, Alice and Bob, trust each 
other while the eavesdropper Eve is the untrusted 
adversary). In the unconditionally secure SARG04-QKD 
protocol [m, a virtual entanglement-based protocol is 
proposed. Exploiting the unconditionally secure 
entanglement distillation protocol with two-photon, the upper 
bound of $I_{BC} = I_E = H(e_p|e_b)$ can be estimated [Tl|. 
The relationship between phase error rate $e_p$ and bit 
error rate $e_b$ with the six-state SARG04-QKD cannot 
be provided. Therefore, we generalize the method 
proposed in Ref. [11] to find out the relationship. 

Some notations should be defined. The four quantum 
states are written as |(/?o) = cos^lOa,) -I- sin |(^o) = 

-sin||0a;) -I- cos 11 la;), \‘pi) = cos ||0a;) - sin 11 la;) and 
\(pi) = sin||0a;) -I-cosflla;). Therein, |(^o) and I^jq) 
are eigenstates of basis , \(pi) and \‘-pi) are eigen¬ 
states of basis - A filtering operator reads E = 
sin ^|0a;)(0a;| -l-cos ^|la;)(lx| and a — ^ rotation around Y 
basis reads R = cos jl + sin ^(|la;)(0a;| — |0a;)(la;|), note 
that i?|vJi) = |(/3o)- Tq = I represents an identity oper¬ 
ator, Ti = cosjl — i sin j represents a ^ rotation 

around basis, T 2 = cos jl — i sin ^ represents 
a I rotation around basis. 

The entanglement-based protocol can be described 
in the following [21]. For each quantum signal, 
Alice prepares an entangled state 
$|\Psi_{AB}\rangle = (1/\sqrt{2})(|0_z\rangle_A|\varphi_0\rangle_B|\varphi_0\rangle_B + |1_z\rangle_A|\varphi_1\rangle_B|\varphi_1\rangle_B)$. 
Alice randomly applies a rotation $T_l R^k$ to system B, with 
$l \in \{0,1,2\}$ and $k \in \{0,1,2,3\}$, then she sends system B 
to Bob through the insecure (unauthenticated) quantum 
channel. After some possible intervention from Eve, Bob 
receives the quantum state. Bob randomly applies the 
rotation $R^{-k'} T_{l'}^{-1}$ to the qubit state and a filtering 
operation whose successful operation is described by Kraus 
operator F. A successful filtering corresponds to a 
conclusive result of Bob. Alice and Bob then publicly announce 
$\{k, l\}$ and $\{k', l'\}$; meanwhile, they keep the quantum 
states with $k = k'$, $l = l'$. Bob randomly chooses some 
quantum states as test bits. Alice and Charlie measure 
them in Z basis. Then, they compare the partial 
measurement outcomes to estimate bit error rates and the 
information that Eve acquires. 

Let $\rho_{\rm qubit}$ represent a pair of qubit states that Alice 
and Bob share, which can be given by 


Pqubit = ^ P[Ia 0 FRB''Ti-"E^BTi,R’hm,k,u)], 

l,k u 

(Bl) 

where $l \in \{0,1,2\}$, $k \in \{0,1,2,3\}$, $u \in \{0,1\}$ and 

= (0,|Ab|w.), 

$E_B$ is a $4 \times 4$ matrix which depends on Eve’s operation 
and we can safely assume that the final state of Eve’s 
system is a particular state $|0_x\rangle$. The probabilities of bit 
flip and phase shift can be given by 


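$$p_{\rm bit} = p_X + p_Y, \qquad p_{\rm ph} = p_Z + p_Y, \tag{B3}$$

where 

$$p_X = {\rm Tr}[\rho_{\rm qubit}|\Psi^+\rangle\langle\Psi^+|], \qquad p_Y = {\rm Tr}[\rho_{\rm qubit}|\Psi^-\rangle\langle\Psi^-|], \qquad p_Z = {\rm Tr}[\rho_{\rm qubit}|\Phi^-\rangle\langle\Phi^-|]. \tag{B4}$$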


If $C p_{\rm bit} + C' p_{\rm fil} > p_{\rm ph}$ holds, then $C e_b + C' > e_p$ is 
exponentially reliable as the number of successfully filtering 
states increases [21]. $p_{\rm fil} = {\rm Tr}[\rho_{\rm qubit}]$ is the trace of state 
$\rho_{\rm qubit}$. It is very clear to see that $p_{\rm fil}$, $p_{\rm bit}$ and $p_{\rm ph}$ are 
the functions of eight elements and their conjugates, i.e., 
PM = P'Amc^, Pbit = P'Abitc^ and Pph = P'AphC^. Am, 
$A_{\rm bit}$, and $A_{\rm ph}$ are $8 \times 8$ matrices, the eight elements in c 
are directly taken from $E_B$. If $C A_{\rm bit} + C' A_{\rm fil} - A_{\rm ph} > 0$ is 
a positive semi-definite matrix, $C p_{\rm bit} + C' p_{\rm fil} > p_{\rm ph}$ will 
always be satisfied. After a complex calculation according 
to the above formulas, we can acquire the relationship 
between phase error rate and bit error rate 


2-\/2 


2^ 


66, 


(B5) 


in the two-photon six-state SARG04-QKD. Therein, the 
probability that both bit and phase occur error is Py = 


With the same method, for the single-photon 
six-state SARG04-QKD, we have Cp = |e6 and Py = 
166. In the asymptotic case, Ibc can be given by 


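$$\begin{aligned} I_{BC} = I_E &= H(e_p|e_b) \\ &= -(1 + a - e_b - e_p)\log_2\frac{1 + a - e_b - e_p}{1 - e_b} - (e_p - a)\log_2\frac{e_p - a}{1 - e_b} \\ &\quad - (e_b - a)\log_2\frac{e_b - a}{e_b} - a\log_2\frac{a}{e_b}, \end{aligned} \tag{B6}$$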

where $H(e_p|e_b)$ is the conditional Shannon entropy 
function, a = Py = 66 quantifies the mutual information 
between bit and phase errors. 

In the two-photon four-state QDS scheme, there are 
four single-photon BB84 quantum states $|H\rangle$, $|V\rangle$, 
$|+\rangle = (|H\rangle + |V\rangle)/\sqrt{2}$, $|-\rangle = (|H\rangle - |V\rangle)/\sqrt{2}$. The four 
states can be divided into four sets $\{|H\rangle, |+\rangle\}$, $\{|+\rangle, |V\rangle\}$, 
$\{|V\rangle, |-\rangle\}$, $\{|-\rangle, |H\rangle\}$, where the first state from each set 
represents logic 0 and the second state logic 1. In 
addition to the preparation of quantum states, other 
processes are the same with the two-photon six-state QDS 
scheme. The entanglement distillation protocol can be 
converted to the unconditionally secure two-photon 
four-state SARG04-QKD. In the asymptotic case, the 
relationship between the phase error rate and the bit error 
rate can be given by [21] 


$$e_p = \min_x \left\{ x e_b + \frac{3 - 2x + \sqrt{6 - 6\sqrt{2}x + 4x^2}}{6} \right\}. \tag{B7}$$

Meanwhile, we can set $a = p_Y = e_b \times e_p$, which 
corresponds to no mutual information between bit and phase 
errors. 

Hereafter, the detector error model [1^ is applied to 
estimate the detection probability and error rate of 
quantum states. In the simulation, we simply apply the case 
that Alice and Bob do not interfere with the protocol. 
The overall gain Q can be given by 


$$Q = [1 - (1 - Y_0)(1 - \eta_B)][1 - (1 - Y_0)(1 - \eta_C)], \tag{B8}$$


which indicates the ratio of the number of Bob’s and 
Charlie’s detection coincidence events to Alice’s number 
of emitted signals. $Y_0$ represents the probability that 
Bob’s (Charlie’s) detector clicks when the input of Bob 
(Charlie) is a vacuum state. Because of active basis 
selection, we have $Y_0 = 2p_d(1 - p_d)$, where $p_d$ represents the 
dark count rate of each detector. $\eta_B = \eta_d \times 10^{-\alpha L_{AB}/10}$ 
($\eta_C = \eta_d \times 10^{-\alpha L_{AC}/10}$) represents the transmission 
efficiency from Alice to Bob (Charlie). Here, we consider a 
widely used fiber-based setup model. Therein, $\eta_d$ 
represents the detection efficiency. $L_{AB}$ ($L_{AC}$) is the distance 
between Alice and Bob (Charlie), $\alpha$ is the intrinsic loss 
coefficient of the fiber. Taking into account the universal 
squash model [s^, the threshold single-photon detector 
can be used in our scheme. The gain of Bob’s conclusive 
results and Charlie’s conclusive results are given by 

Qb = ^[(1 - Vb)Yo + (^ + ed)vB][l - (1 - do)(l - vc)] 
= PbQ, 

Qc = ^[(1 - Vc)Yo + (^ + ed)?7c][l - (1 - >b)(l - Vb)] 
= PcQ, 

(B9) 

where $e_d$ represents the misalignment in the channel, for 
six-state scheme, z = ^, for four-state scheme, z = ^. 
The overall quantum bit error rate (QBER) of Bob’s 
conclusive results and Charlie’s conclusive results are given 
by 


esQs = 2 [i(l - r]B)Yo + edVB][l - (1 - >b)(l - Vc)], 
PcQc = ^[^(1 - Vc)Yo + ed7?c][l - (1 - yo)(l - Vb)], 


(BIO) 

The amount of Charlie’s randomly selected test bits is 
$M_t = \beta QN$, the remaining bits $M_u = (1 - \beta)QN$ are 
untested bits. In the QDS protocol, $e_b$ is the expectation 
value of mismatching rate between Alice’s bits and 
Charlie’s conclusive result bits in the untested portion. 
Therefore $e_b = e_C^t + \delta_1$, $\delta_1$ is the finite sample size effect 
which can be quantified by the random sampling without 
replacement theorem [22] with failure probability $\epsilon_1$. 
Therefore, we have 


$$\delta_1 = g[P_C^c M_u,\, P_C^c M_t,\, e_C^t,\, \epsilon_1]. \tag{B11}$$


Note that the security thresholds satisfy $T_a < T_v < S_c$, 
the supremum of $S_c$ can be given by 


$$H(\sup\{S_c\}) = 1 - H(\inf\{e_p|e_b\}) = 1 - H\left(\frac{2 - \sqrt{2}}{4}\right). \tag{B12}$$


It is obvious to see that the supremum of $S_c$ is 7.9135% 
in the two-photon four-state QDS, which is equal to that 
in the two-photon six-state QDS. However, the six-state 
scheme is more robust than the one with four-state, for 
instance, given $e_b$ = 1%, one has $S_c$ = 7.4564% for 
six-state and $S_c$ = 4.5035% for four-state. 
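
The two four-state figures quoted above (7.9135% and 4.5035%) can be reproduced from (A16), (B6) and (B7). The following Python sketch is an added example, not code from the paper; it assumes (B7) reads e_p = min_x { x e_b + [3 - 2x + sqrt(6 - 6 sqrt(2) x + 4x^2)]/6 } and that the infimum of e_p as e_b goes to 0 is (2 - sqrt(2))/4, and all function names are hypothetical.

```python
import math

def binary_entropy(x):
    """H(x) = -x log2 x - (1 - x) log2 (1 - x), with H(0) = H(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)

def _term(p, q):
    """p * log2(p / q), using the convention 0 * log2(0) = 0."""
    return p * math.log2(p / q) if p > 0.0 else 0.0

def conditional_entropy(e_p, e_b, a):
    """H(e_p | e_b) as in (B6); a is the probability of a joint bit and phase error."""
    return -(_term(1 + a - e_b - e_p, 1 - e_b) + _term(e_p - a, 1 - e_b)
             + _term(e_b - a, e_b) + _term(a, e_b))

# Assumption: infimum of the phase error rate, approached as e_b -> 0.
E_P_FLOOR = (2 - math.sqrt(2)) / 4

def four_state_phase_error(e_b):
    """e_p(e_b) from (B7) as assumed above, minimised over x >= 0.

    The objective is convex in x, so a ternary search finds the minimum.
    """
    if e_b <= 0.0:
        return E_P_FLOOR
    def f(x):
        return x * e_b + (3 - 2 * x + math.sqrt(6 - 6 * math.sqrt(2) * x + 4 * x * x)) / 6
    lo, hi = 0.0, 1e6
    for _ in range(300):
        m1, m2 = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if f(m1) < f(m2):
            hi = m2
        else:
            lo = m1
    return f((lo + hi) / 2)

def min_mismatch_rate(i_bc):
    """Smallest S_c in [0, 1/2] with H(S_c) = 1 - I_BC, cf. (A16), by bisection."""
    target, lo, hi = 1.0 - i_bc, 0.0, 0.5
    for _ in range(100):
        mid = (lo + hi) / 2
        if binary_entropy(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def four_state_sc(e_b):
    """S_c for the two-photon four-state scheme, with a = e_b * e_p."""
    e_p = four_state_phase_error(e_b)
    return min_mismatch_rate(conditional_entropy(e_p, e_b, e_b * e_p))

def thresholds_ok(t_a, t_v, e_b):
    """Check the ordering T_a < T_v < S_c for a given bit error rate e_b."""
    return 0.0 <= t_a < t_v < four_state_sc(e_b)

if __name__ == "__main__":
    print(f"sup S_c         = {four_state_sc(0.0):.4%}")
    print(f"S_c at e_b = 1% = {four_state_sc(0.01):.4%}")
```

The six-state value is not computed here because it depends on the six-state relations for e_p and a, which are a different pair of formulas.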


Appendix C: Weak coherent states 


1. Practical QDS with Scheme I 

Note that in the case of repudiation, the dishonest 
signer Alice successfully cheats two honest recipients Bob 
and Charlie. Thus, the test bits Charlie or Bob select can 
be regarded as the random sampling since Charlie (Bob) 
is honest in the repudiation case. Therefore the test bits 
can be used for the security against the repudiation 
attack. In the case of forgery, only one recipient is dishonest 
while the signer is honest. The decoy states are randomly 
prepared by Alice which can be used to prove the 
security against forgery attack. Therefore, the roles of Bob 
and Charlie are equivalent in the decoy-state-based QDS 
protocol, both Bob and Charlie could be the 
authenticator. 

The overall gain Q\ can be given by 

Qa = [1 - (1 - Yo)e-^^-][l - (1 - Yo)e-^^% (Cl) 


where A G The gain of Bob’s conclusive re¬ 

sults and Charlie’s conclusive results are given by 


Ql, =z[Yoe-^^- + (i + e,)(l - 
X [1 - (1 - Yo)e-i^^] = 
=z[Y,e-^^- + (i + e,)(l - 

X [l-{l-Yo)e-^^-]=P^cxQ^ 

A” 


=E 


-A ' 


rYcn 


(C2) 


n=0 


where $Y_{Cn}$ is the yield given that Alice sends n-photon 
pulse, both Bob’s and Charlie’s detectors click and 
Charlie has a conclusive result. The overall QBER of Bob’s 
conclusive results and Charlie’s conclusive results are 
given by 


PbxQ^x + ed{l - 

X [l-(l-ro)e-^’'^], 

CcaQca =^[2® -I-ed(l — e 2’’®’)] 

X [l-(l-yo)e-^''^] 
yn 

~ ^ ^ ^ T^Cn^Cni 

n\ 

n—0 


(C3) 


where $e_{Cn}$ is the QBER of n-photon given that Alice 
sends n-photon pulse, both Bob’s and Charlie’s 
detectors click and Charlie has a conclusive result. Exploiting 
the decoy-state method [1^ , the yield $Y_{C2}$ and QBER 
$e_{C2}$ of two-photon components in signal-state can be 
estimated. The lower bound of $Y_{C2}$ and upper bound of 
$e_{C2}$ can be given by 

^C2 >- 7 --w- 

— cj) I 

- - v‘^)e^Qcu, - 

-f [/x3(i/-a;)-fz/^(a;-/x)-ha;^(/r-i/)](5co}> 

ec2 <— 7 — f^CuQcu - 
— UJ)Yc2 

— (w — l^)eQQQQQ\ . 

(C4) 

In the decoy-state method, the finite sample size effect 
should be taken into account. We exploit the standard 
error analysis method [31] to calculate the statistical 
fluctuation. Thus, we have 

where $N_\lambda$ is the number of pulses given that Alice sends 
weak coherent states with intensity $\lambda$. $N_\lambda Q_{C\lambda}$ is the 
number of pulses given that Alice sends weak coherent 
states with intensity $\lambda$ and Charlie has a conclusive 
result. Thus, we have $N_\lambda = P_\lambda N$ and $P_\lambda$ is the probability 
of intensity $\lambda$. 

Only the contribution of signal-state can be used as 
test bits and untested bits. The amount of Charlie’s 
randomly selected test bits is $M_t = \beta Q_\mu P_\mu N$, the remaining 
bits $M_u = (1 - \beta)Q_\mu P_\mu N$ are untested bits. The distance 
$\Delta$ is written as 

$$\Delta = \Delta_t + \delta_2, \qquad \Delta_t = e_{B\mu}^t + e_{C\mu}^t, \qquad \delta_2 = g[P_{B\mu}^c P_{C\mu}^c M_u,\, P_{B\mu}^c P_{C\mu}^c M_t,\, \Delta_t,\, \epsilon_2].$$

Because an unambiguous discrimination among $C$ 
linearly dependent states of a qubit space is only possible 
when at least $C - 1$ copies of the states are available 
M-, in the six-state QDS with phase-randomized weak 
coherent states, Bob cannot unambiguously discriminate 
the polarization states when Alice sends 3-photon or 
4-photon pulses. For simplicity, we only consider the 
contribution of the two-photon component. For 
vacuum-state and single-photon component, there is a negligible 
probability to indicate a successful event due to the low 
dark count rate. Therefore, we can assume that Bob can 
guess the bits of Charlie’s conclusive results without 
errors unless Alice sends two-photon component pulses. 

The optimal probability of Bob accepting the message 
while Charlie rejecting is 

£2 = Pt{BA, CR) = exp[--^-(^7) 

where A is the physical solution of the following equation 
and inequalities. 


Ty 2 and Qq 2 mismatching rate threshold and the 

gain (lower bound) of the two-photon component, respec¬ 
tively. The security level of the protocol can be written 
as 


$$\varepsilon_{\rm sec} = \varepsilon_{\rm nor} + \varepsilon_{\rm unf} = \varepsilon_1 + \varepsilon_2 + \epsilon_2 + 7\epsilon_3, \tag{C11}$$


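where $7\epsilon_3$ is the failure probability due to the decoy-state 
method, and 

$$\epsilon_3 = \frac{1}{\sqrt{2\pi}} \int_{n_{\alpha 1}}^{\infty} e^{-t^2/2}\, dt, \tag{C12}$$

$n_{\alpha 1}$ is the number of standard deviations, we set 
$n_{\alpha 1} = 4.753$ for simulation. The probability of the robustness 
is 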


$$\varepsilon_{\rm rob} = \Pr(BR) < \epsilon' = h[P_{B\mu}^c M_u,\, P_{B\mu}^c M_t,\, e_{B\mu}^t,\, T_a - e_{B\mu}^t]. \tag{C13}$$


2. Practical QDS with Scheme II 

The overall gain can be given by 


= [!-(!- ro)e-'^''-][l - (1 - (C14) 


where { 7 , y} = {fii, 0 }, { 0 ,Aii}, 

{ 1 / 1 , 0 }, { 0 , 1 / 1 } and {0,0}. The gain of Bob’s conclusive 
results and Charlie’s conclusive results can be written as 


-f (i + e,)(l - 
X [1 - (1 - ^0)6-^"^] = 

+ (^ + ed)(l - 

X [1 - (1 - ^ 0 ) 6 -^""] = Ph^i^Q^x 


00 00 n 

= X! e“^—Ycnm, 

n\ ml 

n—0 m—0 


(C15) 


(/4 - Ph^Tu^ [P&,Ty - (A/P|^ + A)]^ 

3Pa^(A/P|^ + A) 

Ph^Ta <A< P%^{Tu - A). 

(C 8 ) 

The optimal probability of Charlie accepting a forged 
message is 


£1 = Pr(C'A) = exp 


(5c - Tu 2? Qh2 


25c 


Q: 


Cfj, 


Pci^Mu 


(C9) 

where ■^S^Pn.,Mu is the minimum number of Charlie’s 

conclusive result bits in the untested bits given that Alice 
sends two-photon component pulses, and 


where $Y_{Cnm}$ is the yield that both Bob’s and Charlie’s 
detectors click and Charlie has a conclusive result given 
that Alice sends n-photon pulses to Bob and m-photon 
pulses to Charlie. The overall QBER of Bob’s conclusive 
results and Charlie’s conclusive results are given by 


=4^e-^^^Yo + e4l - 

+ e.(l - (^6) 

X [1 - (1 - ^ 0 ) 6 -^"®] 


00 00 


,,n 


n—0 m—0 


e~'^—e~^—en Yn 

— / / ^ I ^ I ^Gnm-^Cnm? 

n\ ml 


T„2 — P 


Q 


Cll 


Q 


C2 


Qc2=e->^^Y^2- 


(CIO) 


where $e_{Cnm}$ is the QBER. Exploiting the decoy-state 
method |M . 1^ . the yield $Y_{C11}$ and QBER $e_{C11}$ of the 
two-photon component in the signal-state set can be 
estimated. It is clear that the estimation of $Y_{C11}$ and $e_{C11}$ is 
similar to that used in measurement-device-independent 
QKD [ 2 ^. So $Y_{C11}$ and $e_{C11}$ can be written as [M 

Yen > 


- 1 ^ 1 ) 




+ (Mi ~ ^^i)Qcoo} 


(C17) 


and 


ecu < 




i^tYcn 




-e'^^e^co.rQho. 


°coo Qcooj ■ 


(CIS) 

We exploit the standard error analysis method to calcu¬ 
late the statistical fluctuation. Thus, we have 




7X 


1± 


^oc2 


^IxQc-yx 


(C19) 


Here, $N_{\gamma\chi}$ is the number of pulses given that Alice sends 
weak coherent states with intensity set $\{\gamma, \chi\}$. Thus, 
$N_{\gamma\chi} = P_{\gamma\chi} N$ and $P_{\gamma\chi}$ is the probability of intensity set 
$\{\gamma, \chi\}$. 

Only the contribution of signal-state set can be used as 
test bits and untested bits. The amount of Charlie’s 
randomly selected test bits is Mt = and the 

remaining bits = (1 — are untested 

bits. The distance A is written as 

^ = ^* + <52, 

52 = g[P^cPhMu,P^cPhMu^ue2]. 

The optimal probability of Bob accepting the message 
while Charlie rejecting is 


(C20) 


£2 = Pr(PA, CR) = exp[— 




-Mu 


2A *■ "J’ 

(C21) 

where A is the physical solution of the following equation 
and inequalities, 

2A 

^ [PctJ.i^LiPv - PciJ.i^Li + ^)] (C22) 

P^B^,^,Ta<A<P^S^^^^{Tu-A). 

The optimal probability of Charlie accepting a forged 
message is 

= Pr(Cx4) 


= exp 


(gc-r.ii)" Qhn 


2S, 


Q\ 


C/ii/xi 




(C23) 


where 


Qcii 


pc 

Cfiifii 


Mu is the minimum number of Charlie’s conclusive 
result bits in the untested bits given that 
Alice sends two-photon component pulses, and 


(C24) 

Veil 

Tull and Ocii mismatching rate threshold and 

the gain (lower bound), respectively. The security level 
of the protocol can be written as 


$$\varepsilon_{\rm sec} = \varepsilon_{\rm nor} + \varepsilon_{\rm unf} = \varepsilon_1 + \varepsilon_2 + \epsilon_2 + 11\epsilon_4, \tag{C25}$$


where $11\epsilon_4$ is the failure probability due to the 
decoy-state method, and 

$$\epsilon_4 = \frac{1}{\sqrt{2\pi}} \int_{n_{\alpha 2}}^{\infty} e^{-t^2/2}\, dt, \tag{C26}$$

$n_{\alpha 2}$ is the number of standard deviations and we set 
$n_{\alpha 2} = 4.845$ for simulation. 

The probability of the robustness is 

$$\varepsilon_{\rm rob} = \Pr(BR) < \epsilon' = h[P_{B\mu_1\mu_1}^c M_u,\, P_{B\mu_1\mu_1}^c M_t,\, e_{B\mu_1\mu_1}^t,\, T_a - e_{B\mu_1\mu_1}^t]. \tag{C27}$$


3. Decoy-state method cannot help the adversary 

For Alice’s repudiation attack, the dishonest signer 
Alice attempts to cheat two honest recipients Bob and 
Charlie. Since quantum states are prepared by Alice, 
multi-photon component will provide no advantages for 
Alice. Only the contribution of signal-state (set) can be 
used as test bits and untested bits in the QDS with 
phase-randomized weak coherent states. The security analysis 
of repudiation attack does not use the information of the 
decoy-state. Therefore, the decoy-state method does not 
bring any advantage for Alice’s repudiation. 

In the case of Bob’s forgery attack, the dishonest 
authenticator Bob attempts to cheat the honest signer Alice 
and the honest verifier Charlie. The decoy-state method 
is used to estimate the yield and bit error rate of 
two-photon component sent by Alice given that Charlie has a 
conclusive result. Furthermore, the decoy-state method 
is used to estimate the minimum number (maximum 
average information $I_{BC}$) of Charlie’s conclusive result 
bits given that Alice sends two-photon component pulses, 
which is used for security against forgery attack. Thus, 
Alice and Charlie are honest and they trust each other 
while Bob is dishonest in the decoy-state method. We 
recall that in the decoy-state QKD the two communication 
parties trust each other while the eavesdropper 
Eve is an untrusted adversary. Bob is an active 
participant in the QDS scheme, i.e., he will announce the result 
whether his detector has a click. Meanwhile, Bob can 
exploit the insecure quantum channel to decide which 
qubit (location) has the chance to be detected by 
Charlie. The above two aspects are equivalent to that Bob 
can decide the effective event. In the QKD protocol, Eve 
can also decide which qubit (location) has the chance to 
be detected by the receiver as the effective event, such as 
the photon-number-splitting attack [s^. Therefore, the 
decoy-state method cannot bring any advantage for Bob 
to forge in the QDS. 